Fraudulent Apps back from the dead

February 23rd, 2012

Fraudulent apps described by Symantec as Android.Steek in January this year seem to have re-emerged on the Google Android Market. Google removed Android.Steek then, but it seems that Android.Steek has come back.

These apps capitalize on popular app titles to spread quickly. All of them were made using Android App Inventor, all include the twitter4J API package, and all request Internet access as their only permission. All of these fraudulent apps share their code base with Android.Steek.

When these apps are used, they splash the screen with various advertisements, which require the user to register for various online promotions. The apps do not complete their stated function: none of them contains the code to accomplish its stated purpose. The apps seem to be associated with numerous ad networks.

Below is the list of offending apps along with their authors.



Asta E Services

70s Ringtones (POPULAR!)

80s Ringtones (POPULAR!)

iPad 2 64 GB (For Android )

Xray App - Camera Based (Android)

Top Songs by Year

Watch TV on Mobile (No Fees)

15,000 Top Quality Music and..

Freebies Creations

Grocery Coupons | Deals Plus

Cheap Flights | Cheap Tickets


Typically the app asks the user to tap a button to get coupons, download ringtones, etc. After multiple redirections it shows the user an advertisement asking them to sign up. At the time of writing, the prevalent advertisement was for an online game. Below are the screenshots of the app “iPad 2 64 GB”.




Author: Haroon Malik

Google Android Market is infected by new Plankton (Apperhand) variant

January 25th, 2012

More than a million infected by new Plankton (Apperhand) variant on Google Android Market

Over the last few weeks, the Appriva Threat Intelligence Lab has seen a new variant of Trojan.Android.Plankton emerge, embedded in various apps on the Google Android Market. This variant calls itself ‘apperhand’.

At the time of writing, the following apps are being detected by Appriva and one other antivirus vendor. Based on the Google Android Market, it is estimated that more than a million users could be infected.


App                           Author
Baloon Game                   Ogre Games
Deal or BE Millionaire        Ogre Games
Counter Strike Ground Force   Iapps7 inc
Sexy Ladies 1                 redmicapps
Sexy Ladies 2                 redmicapps
Sexy Ladies 3                 redmicapps
Sexy Ladies 4                 redmicapps

Just like the original Plankton malware, this one is included in seemingly legitimate apps by adding a background service. When the app is run, it sends the user's Device-ID, Manufacturer, Model, source IP, Browser User-agent and Display Matrix to a remote server using an HTTP POST message. It can also accept multiple commands from the remote server; we will look at these commands in a little while. The background service in this version is called “Android SDK Provider” (previous versions had Android MDK Provider). Like the last version, this version can collect user information, read and modify bookmarks, create shortcuts on the device home screen and modify the Homepage.

Like the previous version it creates a shortcut on the device home screen that sends a query to http://www.s*****


Fig 2: Hello Exchange between Malware and server


User Permissions

Here is some of the information the app has access to, based on the permissions it requests. It goes well beyond what is required for a game app and the advertising associated with it.


Coarse (network-based) location
Fine (GPS) location
Full Internet Access
Personal Information
Read & Modify Browser's history and bookmarks
Automatically Start at Boot

Table 1: Information available to malware based on permissions requested
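A manifest triage for the two indicators described above, the background service name and the Table 1 permission set. This is an added example, not code from the original post or from Appriva. It assumes the manifest has already been decoded to text XML, that the service name appears in the service's android:name or android:label, and that the Table 1 rows map to the permission names shown; the "Personal Information" row is a permission group and is left unmapped.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Table 1 rows mapped to Android permission names. The mapping is an assumption
# of this example; the post lists only the human-readable descriptions.
TABLE1 = {
    "android.permission.ACCESS_COARSE_LOCATION": "Coarse (network-based) location",
    "android.permission.ACCESS_FINE_LOCATION": "Fine (GPS) location",
    "android.permission.INTERNET": "Full Internet Access",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "Read bookmarks",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "Modify bookmarks",
    "android.permission.RECEIVE_BOOT_COMPLETED": "Automatically Start at Boot",
}
# Service names quoted in the post, lowercased with punctuation removed.
SERVICE_MARKERS = ("androidsdkprovider", "androidmdkprovider")

def _norm(text):
    return "".join(ch for ch in (text or "").lower() if ch.isalnum())

def triage_manifest(manifest_xml):
    """Report Table 1 permissions and marker services found in a manifest."""
    # Parse samples of unknown origin inside an analysis sandbox.
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    perms = sorted(p for p in requested if p in TABLE1)
    services = [
        svc.get(ANDROID + "name", "")
        for svc in root.iter("service")
        if any(m in _norm(svc.get(ANDROID + "name")) or
               m in _norm(svc.get(ANDROID + "label")) for m in SERVICE_MARKERS)
    ]
    full_set = len(perms) == len(TABLE1)
    # 0 indicators: none, 1: needs a human look, 2: both indicators present.
    verdict = ("none", "review", "match")[bool(services) + full_set]
    return {"verdict": verdict, "permissions": perms, "services": services}

def sample_manifest(perms, service):
    """Build a constructed manifest (hypothetical package) for the demo."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="com.example.game">%s<application><service'
            ' android:name="%s"/></application></manifest>' % (uses, service))

SUSPECT = sample_manifest(TABLE1, ".AndroidSDKProvider")   # constructed
BENIGN = sample_manifest(["android.permission.INTERNET"], ".MusicService")

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage_manifest(xml))
```

A "review" verdict means only one of the two indicators is present, which on its own is weak evidence because broad permission requests and generic service names also occur in legitimate apps.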

Inside the Malware

The list of commands supported by the versions of the malware we downloaded is shown in the snippet below.


Command           Description
BOOKMARKS         Collects Bookmark information
SHORTCUTS         Adds home screen shortcuts
HOMEPAGE          Modifies the Homepage
NOTIFICATIONS     Displays notification on the user's phone
COMMANDS_STATUS   Get the status of a command

Table 2: Some of the commands of this malware

Fig 3: Malware Commands


The HOMEPAGE command is new in this version. This version actually has fewer commands than the previous version (HISTORY and UPDATE are absent), probably to lessen the likelihood of being detected. However, while analyzing the code we found that the code infrastructure for these commands is still present, so they can be incorporated at a future point.

Fig 4: Malware collecting Device information


Author: Haroon Malik and Summaira Zafar